[Dnssec-trigger] Non-functional dnsmasq bugs detection

Paul Wouters paul at nohats.ca
Wed Oct 14 00:20:55 UTC 2020

Are you sure this wasn’t caused by systemd-resolved ? I reported this exact bug there last week. Is this on fedora 33? If so, you cannot just check and rewrite /etc/resolv.conf, you also need to rewrite or symlink the version somewhere in /run/systemd which is used by glibc / getaddrinfo() 


Sent from my iPhone

> On Oct 13, 2020, at 18:42, Petr Menšík via dnssec-trigger <dnssec-trigger at lists.nlnetlabs.nl> wrote:
> Hello DNSSEC users,
> I maintain dnsmasq in Fedora, so I know about some of its bugs.
> Today, I found issues on my provider connection. It uses some Ubiquity
> device running dnsmasq inside. One device is dnsmasq-2.78-23-g9e09429,
> second dnsmasq-2.79-1-2-geff17ee.
> Both detect support for DNSSEC on the first try, but then randomly fail
> here and there to validate some sites during usage.
> I have found it has broken cache. When first query is made with
> +nodnssec, second with +dnssec would get cached reply for the same name,
> but without dnssec records. Unfortunately, it does not work for NULL
> queries used now for nsec3.
> cache OK
> $ HOST=_probe.cz && T=null && R= && dig -t $T $HOST @$R &&
> dig +dnssec -t $T $HOST @$R
> This command delivers always RRSIG, so resolver is detected DNSSEC
> compatible.
> $ HOST=_probe.cz && T=A && R= && dig -t $T $HOST @$R && dig
> +dnssec -t $T $HOST @$R
> This command however never gets RRSIG in second query on that broken device.
> Because dnsmasq is quite common on cheap hardware at home, I think it
> would be worth to detect its bugs and workaround.
> I would propose doubling NSEC3 test, first without DO bit in request,
> then the second with the same name and type with DO bit set. And change
> PROBE_NSEC3_QTYPE to A or AAAA record.
> What would you think about such change? I would prepare pull request,
> once I find enough time. Was there specific reason to use NULL for NSEC3
> probes?
> -- 
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemensik at redhat.com
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
> <null.txt>
> <a.txt>
> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/dnssec-trigger

More information about the dnssec-trigger mailing list